After posting this message — “Want to buy some profile dumps. Are there any? I’m ready to pay in Bitcoins” — on three ‘TOR NETWORK’ message boards hidden in the dark web, my wait was over after nearly 20 hours when an Anonymous asked on a ‘TORCHAN’ board (http://zw3crggtadila2sg.onion/): “How do we know you are not an FBI scum?” A real scummy question indeed. I wish I had a gentle reply! If you can’t prove that you’re not really an “FBI scum”, it only attracts more of the slang designed for the world wide web. The other boards bore no fruit, not within the 20-hour deadline I had set for myself, knowing that it was too short.
I entered the dark web again, this time to get some tips about the ‘biggest data heist’ that had shaken the world a few months ago, in which one billion Yahoo! user profiles were stolen and sold to three parties for a hefty price and, according to security firms, the culprits were still hanging around. Is anyone still lurking behind the darkness to sell some more stuff? I just tried my luck to trace them. I wish I had had some luck and some leads.
Waiting for 20 hours is not enough; you need to wait much longer, taking every precaution possible to hide your IP, before moving towards any illegitimate transaction. Speaking of such transactions, the year 2016 saw a record rise in cyber attacks and data theft, and the Yahoo! data breach was the biggest among them. It is not only the biggest data heist in web history; it also has serious implications for future generations. The disaster has just begun, and it is personal and financial.
Forget about the rest of the world: in India, cyber crimes registered under the IPC went up by nearly 50 per cent last year.
When a giant organisation loses its user profile database to hacking, the worst hit are those individuals who don’t know the ‘ABCD’ of cyber security. They instantly become soft targets for Phishing attacks and social engineering, and news of individual financial losses is rarely published.
Actually, anyone could buy anything on the web through the ‘TOR NETWORK’, where an insatiable appetite can be titillated with ‘anything for anybody’. And that was the reason why, after three years, the stolen Yahoo! data was put on the web marketplace by a black hat hacker who goes by the pseudonym ‘Tressa88’.
It all started the same way on one fine morning in March last year. The date was March 25, 2016 and the time (as shown on the forum board) was 05.28 hours. It must have been early morning in Russia when the black hat hacker, Tressa88, logged in and hinted at the Yahoo! data ‘dumps’ for the first time. The language was indeed Russian, and it was a Russian message board running undercover.
Who is Tressa88? The black hat hacker claimed, “I am a very old inhabitant of the network:) and that was true.” Why the name Tressa88? The hacker announced in a chat that it is not his real name, but the name of “a whore from Australia”. Andrei Barysevich, director of Eastern European research and analysis for the security firm Flashpoint Intel, claimed that behind the alias Tessa88 there are actually two people, perhaps a female and a male. It is quite likely that an underground group lurks in the shadows behind this alias.
Tressa88 posted the first message in Russian, and the first few lines in English translation read like this: [Only registered and activated users can see links]
For a review 10% discount
Important:! All goods in EMEIL format; PASS or a HASH
Only fresh and 100% private boxes
Shell for mailing. With the criteria of sending and delivery pisma._3 $ _1
1) VK.COM_137.000.000 email accounts; pass_pfone; pass
2) MOBANGO_6.000.000 entries id: email; pass
3) MYSPACE_380.000.000 id records: mail: hash…
Since we’re not registered, we could not see the links that user Tressa88 had posted while boasting about the ‘dumps’. But, as usual, they were either ‘onion’ links for a Bitcoin wallet or belonged to some private network, and they were meant for dark web transactions only.
If you go through the whole message, you would probably not find any mention of Yahoo! data at first glance. Instead, Tressa88 said that he was ready to sell user profile data from other sites such as MYSPACE, MOBANGO and the like. This part of the message was important, as on the last line of the list he hinted at many other sites.
1) VK.COM 137.000.000 email accounts; pass_pfone; pass
2) MOBANGO_6.000.000 entries id: email; pass
3) MYSPACE_380.000.000 id records: mail: hash
4) QIP-133.000.000 records
10) And many other sites. Specify in Message.
He was ready to sell from MYSPACE and other sites, including Russian social media. The largest data set belongs to MYSPACE, with almost 400 million user profiles. But there was a hint that he had something special to announce at the end of the page. Within eight hours of his first post, Tressa88 got an answer from another user called Mr Mongo. Afterwards, users such as ‘Fifty’, ‘Edgar’ and ‘ionline’ joined the conversation asking questions about the data, and in no time it became international news, because of which Yahoo! had to admit on September 22: “We believe that at least 500 million user accounts were stolen, which would make it the biggest breach of all time, bigger than the MySpace breach of 427 million user accounts.” Remember the list Tressa88 posted on that message board: MYSPACE was among them, and the number matched with the Yahoo! statement.
As their conversation moved forward, Tressa88 kept writing like this on March 28 last year:
Reviews have to exploit. kardklub Fak and others.
Dame forward to nick a turnip.
There are many other dumps, full format, and a lot of different dating mail; pass
Look at the date on which Tressa88 wrote his second message: March 28, 2016. On September 22, after nearly six months, Yahoo! again published a long statement on its website: “It is confirmed, based on a recent probe, a copy of certain user account data was stolen from our network in late 2014 by what we believe is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers…..”. In the same breath, Yahoo! assured its users that the stolen data did not contain credit card and debit card details.
Was this assurance enough for peace of mind? No! Any computer-literate person knows that any type of profile information may invite Phishing attacks much later, once black hat hackers have that profile data in their possession.
The hackers will definitely use it for social engineering. Both these hacking tricks involve disguise, as the hacker may appear as a friend or as the user’s known bank. An innocent user will never suspect anything, and once he/she clicks a link sent by the known ‘bank’, the link leads to a fake login page that collects the user’s login credentials and delivers them to the hackers.
By the time the whole world came to know about the biggest data heist in the history of the web, cyber security people were in a tizzy. The question that tormented them was this: when the Yahoo! data breach occurred in 2013, why did Tessa88 take so many years to announce the ‘dumps’? What happened in between? Had they social engineered millions of people in between? Had they exhausted all the potential of Phishing attacks in between?
Later it came out that the stolen profile database included plenty of American military and security personnel who used their official emails as recovery emails in their Yahoo! accounts. Was there really any state actor functioning behind the attack, as Yahoo! claimed? Did Tressa88 act as a front for some foreign spymaster? Or did the black hat hackers simply sell the stolen data to a state actor? And so the mystery deepens.
On December 14, 2016, Yahoo! again issued a statement: “Yahoo! has identified the data security issues concerning certain user accounts. Yahoo! has taken steps to secure user accounts and is working closely with law enforcement.”
But it was too late.
The damage has already been done. You will never get the exact figure of individual victims. Unsuspecting users, who normally use the same username and password combinations on various sites, fall easy prey to cyber criminals, and these gullible people have a tendency to click every link sent by fraudsters disguised as ‘friends’ and ‘banks’ without hesitation or suspicion.
At last year’s RSA Conference, ‘Tripwire’ conducted a survey. It asked 200 security professionals about the state of Phishing attacks, and it came out that more than half (58 per cent) of respondents said their organisations had seen an increase in Phishing attacks in the past year. ‘Verizon’, in its 2016 Data Breach Investigations Report, noted that the growth of Phishing attacks in both frequency and sophistication poses a significant threat to all organisations.
Now, think about those who don’t even know that clicking a link may spell disaster for them, at least financially. Let us again forget about India. Consider the case of Tesco Bank, the banking arm of the British supermarket giant. In early November last year, the consumer finance wing of Tesco Bank had to freeze its online operations after as many as 20,000 customers had money stolen from their accounts. They admitted on their website that nearly 40,000 accounts had been compromised and half of those had lost money.
It’s really difficult to diagnose Phishing attacks in isolation when someone steals money from a British account while sitting many thousands of miles away in a different country.
‘All-in-One-Checker’ is a hacking tool, available in the market, which can check whether the hacked username and password combinations from one website work on another website. So there is a depressing possibility that these black hat hackers stole the data much earlier, exhausted all the ways of making money from it and, after that, decided to make some final dollars by appearing after three years.
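From the defender’s side, the replay of leaked username and password pairs against another site (the behaviour the checker tools described above automate) leaves a distinctive footprint in login logs: one source address trying many different accounts in a short window, most of them failing, with the occasional success marking an account whose reused password still works. The script below is an added example, not code from the article or from any of the tools or sites it names; the log line format, the thresholds and the sample addresses (taken from documentation-only IP ranges) are all assumptions, and the log lines are constructed for the example.

```python
"""Flag credential-stuffing sources in login logs and list the accounts that
need a password reset. Added example; log format and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed log line shape: "<ISO timestamp> <client ip> login user=<name> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) login user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample log, not real traffic. 203.0.113.7 cycles through six
# accounts in six seconds; 198.51.100.2 is one person mistyping their password.
SAMPLE_LOG = [
    "2016-11-05T09:00:01 203.0.113.7 login user=alice result=fail",
    "2016-11-05T09:00:02 203.0.113.7 login user=bob result=fail",
    "2016-11-05T09:00:03 203.0.113.7 login user=carol result=ok",
    "2016-11-05T09:00:04 203.0.113.7 login user=dave result=fail",
    "2016-11-05T09:00:05 203.0.113.7 login user=erin result=fail",
    "2016-11-05T09:00:06 203.0.113.7 login user=frank result=fail",
    "2016-11-05T09:10:00 198.51.100.2 login user=alice result=fail",
    "2016-11-05T09:10:20 198.51.100.2 login user=alice result=fail",
    "2016-11-05T09:10:45 198.51.100.2 login user=alice result=ok",
]


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "ip": m.group("ip"),
        "user": m.group("user"),
        "ok": m.group("result") == "ok",
    }


def detect_stuffing(lines, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Return {ip: (distinct_users, failures, attempts)} for every source that,
    inside some sliding `window`, tried at least `min_users` distinct accounts
    with a failure ratio of at least `min_fail_ratio`. A legitimate user who
    forgets a password keeps hitting one account, so never trips this."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[ev["ip"]].append(ev)

    flagged = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e["user"] for e in chunk}
            failures = sum(1 for e in chunk if not e["ok"])
            attempts = len(chunk)
            if len(users) >= min_users and failures / attempts >= min_fail_ratio:
                # Keep the widest qualifying window for the report.
                if best is None or len(users) > best[0]:
                    best = (len(users), failures, attempts)
        if best:
            flagged[ip] = best
    return flagged


def compromised_accounts(lines, flagged):
    """Accounts that logged in successfully from a flagged source: the leaked
    pairs that still worked here, and therefore the passwords to reset."""
    hits = set()
    for line in lines:
        ev = parse_line(line)
        if ev and ev["ok"] and ev["ip"] in flagged:
            hits.add(ev["user"])
    return hits


if __name__ == "__main__":
    sources = detect_stuffing(SAMPLE_LOG)
    print("suspected stuffing sources:", sources)
    print("accounts to reset:", compromised_accounts(SAMPLE_LOG, sources))
```

The thresholds are a starting point rather than a rule: a shared corporate proxy or a mobile carrier gateway will also show many accounts from one address, so the failure ratio and the window matter as much as the raw count, and the successful logins from a flagged source are the finding that deserves action (forced reset, session revocation) rather than the failures.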
‘Yahoo!’ claimed in its statement that it found state actors behind the whole breach. By the middle of 2016, we came to know about one more hacker, ‘Peace of Mind’. A few months after Tressa88 started selling through Russian underground forums, the same data resurfaced in The Real Deal Market (TRDM) — a dark web marketplace. This time the seller’s name was ‘Peace of Mind’ and the hacker was identified as male. A clear rivalry started between them, as Tressa88 later told a security firm: ‘Peace_of_mind [is] a faggot who takes undue credit’. According to Tressa88, ‘Peace of Mind’ was his accomplice, with whom “I shared a dump for analysis! And he started selling it.” ‘Peace of Mind’ made the same allegation about Tressa88: “He stole [the hacked databases] from an old buddy long ago and started selling them.”
Tressa88 accused Peace of Mind of cheating him ever since he gave the latter a few database dumps to decrypt. Calling Tressa88 a thief, Peace of Mind said one of his old friends had had the dumps originally, but Tressa88 stole them from him and started selling them. As soon as the sabre-rattling died down, other hackers started pelting the TRDM with ‘Denial of Service’ attacks. The black hat hacker community got angry because the ‘dumps’ were not up to the mark. The buyers were disgusted with the poor quality of the ‘dumps’. The reason was simple: they had hoped to gain financially from those ‘dumps’ by duping innocent people.
One is not in a position to decide whether this was pure drama, a story made up simply to show the investigators a different line of attack. All we know is that in the past two to three years countless people have had their money stolen without knowing the source of the fraudulent activity.
All the time, through the TOR NETWORK forums, people want information about other people in exchange for money. What type of information? Let’s have a look at the ‘INTEL EXCHANGE’ forum (http://rrcc5uuudhh4oz3c.onion). A user asks, ‘im trying to get some info on a person. her name is ‘….. Shes from sarasota florida, got 2 kids — ‘….’ and ‘…..’ she did me wrong so im looking for all the info I can get on her.’ (I have kept the spelling unchanged and the names withheld). Another user asks about an ‘Onion’ site, and the forum administrator warns that the site might be an FBI honeypot.
But these types of people, asking for trivial help in the underground forum, are not the concern of the civilised world. What happened after Tressa88 and Peace of Mind started selling the ‘dumps’ was the perfect storm. The black hat hackers launched ‘Denial of Service’ attacks on TRDM and tried to shut it down because of a feeling among them that they had been cheated by the users Tressa88 and Peace of Mind. This is proof enough of how common people become the main target of these fraudsters. For the time being, we may conclude that the financial disaster has just begun. It has not completed the full circle yet. We have to wait another five or 10 years to know its full outcome.
From the Digital India perspective, one may also hope that the government would organise more awareness campaigns on how to spot a Phishing attack. Otherwise innocent people may involuntarily give these new-age cyber criminals free rein to exploit the digital dream.